Terminology

A brief glossary of the terms used in the repository

Data Object: any file available in electronic form (e.g., document, data, media etc.). The repository is designed to contain protocols, analysis plans, templates of consent forms, and other documents associated with a clinical research study, as well as data, including individual participant data (IPD).

Dataset: a data object that contains only data – e.g., a spreadsheet, CSV, JSON or XML file, database dump, etc. In the context of the crDSR, it will usually refer to the file or files of individual participant data from a clinical research study.

Data Object Provider (or ‘Provider’ in short): is an organisation that provides data objects to the crDSR. It must be a legal entity in order to enter into a Data Transfer Agreement with ECRIN. Unless those data objects are already explicitly in the public domain, the Provider is assumed to have the legal power to enter into that agreement, for instance they would hold copyright or intellectual property rights on data objects. For datasets of sensitive personal data, the Provider would be the data controller as defined under the GDPR.

Data Transfer Agreement (DTA): a legal agreement (contract) that governs the transfer of all data objects from the Provider to the crDSR. This agreement will reference the GDPR and associated legislation, and, when applicable, intellectual property law. Each DTA will have an appendix describing the data objects to be transferred to the repository, and – if datasets – whether they are categorised as anonymised or pseudonymised. It will also stipulate any data sharing rules and prerequisites that the Provider wants to impose to Secondary Users.

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. In short it is widely known as the General Data Protection Regulation.

Data Controller: as defined in the GDPR, the term refers to the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Sharing: a shorthand for the secondary use of a data object.

Data Use Agreement (DUA) (also known as Data Access Agreement): a legal agreement (contract) between the Requester and ECRIN the crDSR that governs the secondary use of managed-access data objects within the crDSR. The DUA will include clauses prohibiting any attempt to re-identify individuals within a dataset, stipulate that datasets should be stored securely and destroyed after use, and require that the Provider and the repository are notified of the results of the secondary use.

Data Object Secondary Users (or ‘Secondary Users’ in short): the individuals (most often researchers) seeking to reuse data objects.

Data Object Requester (or ‘Requester’ in short): the organisation arranging re-use of data objects on behalf of researchers, normally their employer.